pkg-vulnerabilities: add last days CVEs
+ ImageMagick{,6},
binutils (no reference to upstream, recheck if fixed once upstream bug
reports/information are available),
cpp-httplib, expat, ffmpeg,
giflib (no upstream information, assume not fixed),
glpi, gpac, gst-plugins1-{good,bad,ugly},
htslib,
inetutils (no stable release with fixes),
jenkins,
libarchive (not fixed, possible PR under review),
libexif (fixed upstream, no stable release with fix),
libsoup (some not fixed),
mongo-c-driver, mongodb, mumble,
ncurses (under discussion, double-check later, assume valid and not fixed),
nghttp2, p5-XML-Parser, p5-YAML-Syck, py-Glances, py-OpenSSL, py-asn1,
py-authlib, py-simpleeval,
python (no stable releases with the fix),
radare2, samtools, wolfssl, xpdf
ahc: Fix support for multi-channel PCI controllers.
Some old EISA controllers driven by ahc had two channels on one
controller (aka "TWIN" channels), while all later PCI models
supporting multiple channels did so by having multiple controllers
in one PCI device, each being a separate PCI function.
The ahc interrupt handler wrongly assumed that anything but channel
'A' is always the 2nd channel of a TWIN channel controller, passing
sc_channel_b to scsipi_channel_{freeze,thaw}(). This of course is
wrong for multi-channel PCI ahc controllers, leading to an immediate
panic when there's anything connected to any channel but 'A'.
pkgsrc/pkgtools/depgraph: update depgraph to 20260319 to fix a portability
bug in the shell function finding paths for executables. No more confusing
messages on Mac/Darwin now.
p5-XML-Parser: update to 2.48.
Security fix release.
2.48 2026-03-18 (by Todd Rinaldo)
Fixes:
- GH #39 Fix off-by-one heap buffer overflow in st_serial_stack growth check (CVE-2006-10003)
- GH #64 Fix buffer overflow in parse_stream when filehandle has :utf8 layer (CVE-2006-10002)
- GH #27 Prevent symbol table auto-vivification in Expat::parse
- GH #30 Set UTF-8 flag on sysid in ExternEnt handler and fix Debug style for non-ASCII chars
- GH #36 Prevent position overflow for large files in line/column/error paths
- GH #41 Fix xml_escape to escape all occurrences of quote characters
- GH #44 Fix lexical filehandle handling in ExternEnt handler return values
- GH #45 Clean up compiler warnings in Expat.xs
- GH #47 Fix routing of character data after root element to Char handler
- GH #48 Fix current_byte overflow for large XML files on 32-bit perl
- GH #50 Propagate xpcroak errors in Subs style instead of swallowing them
- GH #53 Fix parameter entity references in internal DTD subset breaking handler dispatch
[51 lines not shown]
www/firefox: Update to 148.0.2
Changelog:
148.0.2:
Fixed
* Fixed an issue where searches entered in the Firefox Home search field were
incorrectly redirected to the address bar for some users who had disabled
search handoff behavior via advanced settings. (Bug 2017049)
* Fixed an issue where some web-based rich text editors stopped applying
formatting, such as bold or italic. (Bug 2020927)
* Fixed an issue where videos could autoplay unexpectedly on YouTube despite
autoplay being blocked, particularly impacting screen reader users. (Bug
2020233)
* Fixed an issue that caused some absolutely positioned elements meant to be
centered, for example, using margin: auto with inset: 0, to appear
[17 lines not shown]